1. Overview
.git collects, processes, and stores data strictly in accordance with applicable privacy laws, including but not limited to the GDPR, CCPA, and SOC 2 Type II requirements. This document outlines how long we retain different categories of data, the conditions under which data is retained beyond standard periods, and how you can manage or request deletion of your information.
All retention periods are measured from the date of the last active event associated with the data (e.g., last login, last commit, last API call, or explicit account deactivation).
2. Standard Retention Periods
The following table defines the default retention windows for core data categories. These periods automatically trigger secure deletion or anonymization unless a legal hold or compliance exception applies.
| Data Category | Retention Period | Disposition |
|---|---|---|
| Account & Profile Data | 30 days post-deactivation | Secure deletion |
| Repository & Code Assets | 90 days post-repo deletion | Cryptographic shredding |
| Deployment Logs & Artifacts | 12 months (Pro/Enterprise) | Automatic archival & purge |
| CI/CD Pipeline Runs | 6 months | Anonymized metrics retained |
| Authentication & Session Logs | 90 days | Secure overwrite |
| Billing & Invoice Records | 7 years | Archived (tax compliance) |
| Support Tickets & Communications | 2 years | Redacted & archived |
| Telemetry & Usage Analytics | 13 months | Aggregated & anonymized |
A 14-day soft-deletion grace period applies to user-initiated deletions. During this window, data remains recoverable only by authorized team administrators with MFA-verified access.
3. Data Classification & Storage
.git classifies stored data into three tiers based on sensitivity and processing requirements:
- Personally Identifiable Information (PII): Names, emails, IP addresses, billing details. Encrypted at rest (AES-256) and in transit (TLS 1.3). Stored in isolated compliance buckets.
- Development Assets: Source code, configuration files, environment variables, build artifacts. Stored with customer-managed keys (CMEK) for Enterprise plans.
- Operational Metadata: Logs, metrics, audit trails, telemetry. Aggregated, indexed, and subject to strict lifecycle policies.
All data residency can be pinned to specific geographic regions (US, EU, APAC) per Enterprise contract terms. Cross-border transfers strictly follow Standard Contractual Clauses (SCCs) and data transfer impact assessments (DTIA).
4. User Controls & Deletion Requests
You maintain full sovereignty over your data. The following controls are available directly within the .git dashboard:
- Export: Download complete snapshots of repositories, logs, and account settings in standard formats (`.tar.gz`, `.json`, `.csv`).
- Revoke Integrations: Instantly terminate third-party OAuth tokens, webhooks, and CI/CD connections.
- Schedule Deletion: Queue future account, repository, or organization deletion with configurable delay (1–30 days).
- Right to Erasure: Submit formal DSR (Data Subject Request) forms via the Privacy Portal. Processing occurs within 30 calendar days.
Deletion of organizations or primary repositories triggers cascading removal of all associated artifacts, CI/CD history, and edge cache copies. This cannot be undone after the grace period expires.
5. Legal & Compliance Exceptions
Certain data may be retained beyond standard periods when required by law, litigation holds, or active security investigations. These exceptions include:
- Active Investigations: Data may be preserved for up to 12 months during internal or third-party security audits, abuse investigations, or breach response procedures.
- Legal Holds: Court orders, regulatory subpoenas, or law enforcement requests may suspend deletion workflows until the hold is formally lifted.
- Tax & Financial Records: Billing, invoices, and payment processor records are retained for 7 years regardless of account status, per standard accounting regulations.
- Abuse Prevention: Device fingerprints, rate-limit metadata, and abuse reports are retained for 24 months to prevent recurrent policy violations.
All legal holds are documented, audited quarterly, and automatically reviewed for expiration. You will be notified of any legal hold affecting your data where legally permissible.
6. Compliance Frameworks
.git's data retention practices are validated and continuously audited against the following standards:
- SOC 2 Type II: Security, Availability, and Confidentiality principles. Annual independent audit by [Auditor Firm Redacted].
- GDPR (EU 2016/679): Lawful basis processing, Data Protection Impact Assessments (DPIA), and DPO oversight.
- CCPA/CPRA (California): Consumer rights fulfillment, opt-out mechanisms, and service provider restrictions.
- ISO 27001:2022: Information security management, asset disposal procedures, and media sanitization standards.
- HIPAA BAA: Available for Enterprise Healthcare plans. ePHI retention aligns with 45 CFR §164.530.
Full compliance reports, audit certificates, and security documentation are available upon request or via the Trust Center.
7. Contact & Support
For questions regarding this policy, data retention schedules, or to submit a formal data request, please contact:
- Privacy & Compliance Team: privacy@.git
- Enterprise Data Requests: compliance@.git
- Security Hotline: security@.git (PGP key available)
- Mailing Address: .git Inc., 100 Developer Way, Suite 400, San Francisco, CA 94107
All requests are tracked, assigned a unique reference ID, and responded to within the statutory timeframe. You may track request status via the Privacy Portal or by replying to your confirmation email.
This policy is reviewed annually or following material changes to our services, infrastructure, or applicable regulations. Updates will be published to this document with a revised version number and effective date.